Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2024, 23:41

General

  • Target

    2024-03-11_decd00defd7750461472b3bd19651b7b_mafia_nionspy.exe

  • Size

    274KB

  • MD5

    decd00defd7750461472b3bd19651b7b

  • SHA1

    3d24c653e76d00aefd95f553bcceb3820ccb23fc

  • SHA256

    98f50f6e0ef0a766a27f06c9bbd8df049e07ed360347a440bf48b755a50bd6f4

  • SHA512

    147d8e2bdec4f066a8e0483ea18cea6b47d6d80422334b5e7f6fbf610dae43b41bf311e5958ec47367894b83a49419d85500e53f90f8577ec312a67516aa90d4

  • SSDEEP

    6144:EYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:EYvEbrUjp3SpWggd3JBPlPDIQ3g

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-11_decd00defd7750461472b3bd19651b7b_mafia_nionspy.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-11_decd00defd7750461472b3bd19651b7b_mafia_nionspy.exe"
    (tree depth 1)
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
      (tree depth 2)
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe"
        (tree depth 3)
        • Executes dropped EXE
        PID:3664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Posix\lsassys.exe

    Filesize
    274KB

    MD5
    2a354de3ee79bb98b49c492f3038c526

    SHA1
    a37043888efc578d04cc16c7e8dac292cb223167

    SHA256
    2e9abc861b54b96cee4379281ea70655f81e714005592880a5deeae6a7b8e1ed

    SHA512
    0d4c4586e20832e53376189538b027d64594be51f3049ed6cdf78b1ce6ef18f5a20ecbed027068b93330c0f5d0839f9fb2edb576f4e8f87b615564a9b58897ff